Passkeys: A Shattered Dream
At around 11pm last night my partner went to change our lounge room lights with our home light control system. When she tried to login, her account couldn't be accessed. Her Apple Keychain had deleted the Passkey she was using on that site.
This is just the icing on a long trail of enshittification that has undermined Webauthn. I'm over it at this point, and I think it's time to pour one out for Passkeys. The irony is not lost on me that I'm about to release a new major version of webauthn-rs today as I write this.
In 2019 I flew to my mates place in Sydney and spent a week starting to write what is now the Webauthn library for Rust. In that time I found a number of issues in the standard and contributed improvements to the Webauthn workgroup, even though it took a few years for those issues to be resolved. I started to review things and participate more.
Second Factor was a stepping stone toward the latter two. Passwordless is where you would still type in an account name then authenticate with PIN+Touch to your security key, and usernameless is where the identity for your account was resident (discoverable) on the key. This was (from my view) seen as a niche concept by developers since really - how hard is it for a site to have a checkbox that says "remember me"?
/cdn.vox-cdn.com/uploads/chorus_asset/file/22481672/acastro_210430_1777_semiCon_0001.jpg)
.svg)
